Clodo / Fabrizio Carimati ᯅ retweeted
Let's talk about AI. Henri Bergson, 1907, L'Évolution créatrice. There is a wasp, the Sphex, which paralyses the caterpillar its larva feeds on by stinging it in exactly the right nine nerve ganglia, in sequence, with no margin for error. It has never studied anatomy. It has never studied anything. It simply does it, from the very first time, perfectly, every time. Bergson pauses on that gesture and tries to answer a question that today sounds idiotic yet is the most serious of all: what exactly are we talking about when a creature performs a prodigious act without knowing what it is doing? He calls it instinct, distinguishes it from intelligence, and makes one thing clear: if the wasp does not know, something knows through it. But we haven't talked about AI.
Clodo / Fabrizio Carimati ᯅ retweeted
Nooooooooooooooo @Cloudflare; telling folks to store 2FA codes in their password manager defeats the purpose of 2FA!
Clodo / Fabrizio Carimati ᯅ retweeted
Let's shift focus and explain why the #EU #AgeVerification concept is fundamentally flawed. Assume:
1. The production app is released.
2. It's 100% secure, 100% private (fantasy land, but stick with me).
3. It cryptographically challenges every step, including hardware attestation which requires a physical device.
4. Every single other attack vector in the surrounding environment is somehow magically patched.
aka - it's working exactly as intended/designed.
It does not protect against a relay attack. This is a threat they considered and somewhat addressed here: github.com/eu-digital-identi… With the current design, there's nothing preventing someone running a verification-as-a-service; a remote Android device which returns a valid attestation. Remember, it's not returning "I am over 18", it returns "someone is over 18". Neither the verifier nor the app has any way to link the session ID to a physical device. Their own docs state this clearly: Remote Cross-Device Presentation: "Note that the Wallet Instance does not see any difference between the cross-device flow and the same-device flow. In both cases, it receives an OpenID4VP-compliant presentation request over the Wallet Instance-platform API described in the previous section." This is a known & well-understood attack vector in all remote credential presentation models; it's just not mitigated in this one... primarily because they can't. CTAP 2.2 won't work with all app flows, hardware attestation doesn't mitigate relay attacks, on-demand liveness detection would be too intrusive & potentially privacy-invasive & timing calculations don't reveal anything useful... all the available options to resolve this break the core design; completely anonymous age verification. The Architecture & Reference Framework (ARF) is technically sound in some respects. They considered external threat actors and discussed solutions to mitigate them, including ZKP.
However, the EC applied the wrong threat model, thus arriving at the wrong conclusion. Yes, you need to protect against malicious verifiers, phishing sites, session hijacks, data brokers et al... but that's addressing external threats, it doesn't protect the architecture from the user itself. In virtually every other scenario, the user and system's interests are aligned; protect my biometric asset at all costs. Specifically for age verification, most users do not want to present ID simply to access a website, so whilst the system may adequately protect from external threats, if the user wants to bypass the system, they can... and the architecture doesn't consider this. Every single applied mitigation assumes the user is the protected party, not the threat actor. To those people claiming "it requires physical access to the device and root, this is BS/hyperbole", you too applied the wrong threat model & completely missed the point. These disclosures demonstrate that you, the user, are the threat actor they haven't considered. You have your device. You can root your device. You can create a chrome extension, just as I did. Ironically, it's precisely those under 18 who can't pass verification who are motivated to bypass it. So where does that leave us? A system which replaces "I am over 18" with "someone is over 18", with absolutely no guarantee that it's true... which is the entire purpose of the app.
Bypassing #EU #AgeVerification using their own infrastructure. I've ported the Android app logic to a Chrome extension - stripping out the pesky step of handing over biometric data which they can leak... and pass verification instantly.
Step 1: Install the extension
Step 2: Register an identity (just once)
Step 3: Continue using the web as normal
The extension detects the QR code, generates a cryptographically identical payload and tells the verifier I'm over 18, which it "fully trusts". This isn't a bug... it's a fundamental design flaw they can't solve without irrevocably tying a key to you personally; which then allows tracking/monitoring. Of course, I could skip the enrolment process entirely and hard-code the credentials into the extension... and the verifier would never know.
Clodo / Fabrizio Carimati ᯅ retweeted
‼️🇪🇺 The EU's new Age Verification app was hacked with little to no effort. When you set it up, the app asks you to create a PIN. But that PIN isn't actually tied to the identity data it's supposed to protect. An attacker can delete a couple of entries from a file on the phone, restart the app, pick a new PIN, and the app happily hands over the original user's verified identity credentials as if nothing happened. It gets worse. The app's "too many attempts" lockout is just a counter in a text file. Reset it to 0 and keep guessing. The biometric check (face/fingerprint) is a simple on/off switch in the same file. Flip it to off and the app skips it entirely.
Clodo / Fabrizio Carimati ᯅ retweeted
Hacking the #EU #AgeVerification app in under 2 minutes. During setup, the app asks you to create a PIN. After entry, the app *encrypts* it and saves it in the shared_prefs directory.
1. It shouldn't be encrypted at all - that's a really poor design.
2. It's not cryptographically tied to the vault which contains the identity data.
So, an attacker can simply remove the PinEnc/PinIV values from the shared_prefs file and restart the app. After choosing a different PIN, the app presents credentials created under the old profile and lets the attacker present them as valid.
Other issues:
1. Rate limiting is an incrementing number in the same config file. Just reset it to 0 and keep trying.
2. "UseBiometricAuth" is a boolean, also in the same file. Set it to false and it just skips that step.
Seriously @vonderleyen - this product will be the catalyst for an enormous breach at some point. It's just a matter of time.
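The flaw the two tweets above describe (the PIN kept as a separate PinEnc/PinIV record, so wiping it and choosing a new PIN still opens the old vault) goes away when the key that unwraps the vault is derived from the PIN itself. The sketch below is an added Python example, not code from the app or its authors; the scrypt parameters, the record layout, the HMAC-based key wrap and the sample PINs are assumptions, and a production build would use an AEAD such as AES-GCM for the wrap.

```python
"""Bind the unlock PIN to the vault key: wiping the stored record cannot let
a freshly chosen PIN open the old vault (illustrative, stdlib only)."""
import hashlib
import hmac
import os
from typing import Optional

SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1   # memory-hard PIN stretching (assumed)


def _pin_key(pin: str, salt: bytes) -> bytes:
    # The PIN never touches disk; only the salt and the wrapped key do.
    return hashlib.scrypt(pin.encode(), salt=salt, n=SCRYPT_N, r=SCRYPT_R,
                          p=SCRYPT_P, dklen=64)


def enrol(pin: str, vault_key: bytes) -> dict:
    """On-disk record: salt, wrapped 32-byte vault key, integrity tag."""
    salt = os.urandom(16)
    k = _pin_key(pin, salt)
    k_enc, k_mac = k[:32], k[32:]
    # PRF-derived one-time pad (fresh salt per enrolment), then MAC over
    # salt + ciphertext: encrypt-then-MAC. Stands in for an AEAD here.
    pad = hmac.new(k_enc, b"vault-key-wrap", hashlib.sha256).digest()
    wrapped = bytes(a ^ b for a, b in zip(vault_key, pad))
    tag = hmac.new(k_mac, salt + wrapped, hashlib.sha256).digest()
    return {"salt": salt, "wrapped": wrapped, "tag": tag}


def unlock(pin: str, record: dict) -> Optional[bytes]:
    """Return the vault key only if PIN and record agree; otherwise None."""
    k = _pin_key(pin, record["salt"])
    k_enc, k_mac = k[:32], k[32:]
    expect = hmac.new(k_mac, record["salt"] + record["wrapped"], hashlib.sha256).digest()
    if not hmac.compare_digest(expect, record["tag"]):
        return None   # wrong PIN or tampered record: nothing to unwrap with
    pad = hmac.new(k_enc, b"vault-key-wrap", hashlib.sha256).digest()
    return bytes(a ^ b for a, b in zip(record["wrapped"], pad))


def demo() -> dict:
    """Replay the thread's scenario against the bound design."""
    vault_key = os.urandom(32)        # constructed: key sealing the identity vault
    rec = enrol("1234", vault_key)    # constructed sample PIN
    return {
        "correct_pin": unlock("1234", rec) == vault_key,
        "wrong_pin": unlock("9999", rec) is None,
        # Record wiped and a new PIN enrolled: the new record wraps a new
        # key, so the original vault stays sealed.
        "new_pin_after_wipe": unlock("0000", enrol("0000", os.urandom(32))) != vault_key,
        "tampered_record": unlock("1234", {**rec, "tag": bytes(32)}) is None,
    }
```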
.@vonderleyen "The European #AgeVerification app is technically ready. It respects the highest privacy standards in the world. It's open-source, so anyone can check the code..." I did. It didn't take long to find what looks like a serious #privacy issue. The app goes to great lengths to protect the AV data AFTER collection (is_over_18: true is AES-GCM'd); it does so pretty well. But, the source image used to collect that data is written to disk without encryption and not deleted correctly. For NFC biometric data: It pulls DG2 and writes a lossless PNG to the filesystem. It's only deleted on success. If it fails for any reason (user clicks back, scan fails & retries, app crashes etc), the full biometric image remains on the device in cache. This is protected with CE keys at the Android level, but the app makes no attempt to encrypt/protect them. For selfie pictures: Different scenario. These images are written to external storage in lossless PNG format, but they're never deleted. Not a cache... long-term storage. These are protected with DE keys at the Android level, but again, the app makes no attempt to encrypt/protect them. This is akin to taking a picture of your passport/government ID using the camera app and keeping it just in case. You can encrypt data taken from it until you're blue in the face... leaving the original image on disk is crazy & unnecessary. From a #GDPR standpoint: Biometric data collected is special category data. If there's no lawful basis to retain it after processing, that's potentially a material breach. youtube.com/watch?v=4VRRriyD…
Clodo / Fabrizio Carimati ᯅ retweeted
🛡️ The new #UE app for verifying minors' age is a sieve: biometric data exposed, a system far too easy to bypass. A project meant to protect young people that can't even protect itself. 👉 youtube.com/watch?v=SL6l5aKv… #privacy #techpolicy
Clodo / Fabrizio Carimati ᯅ retweeted
VR devs should take note
Splitgate is implementing peer-to-peer (P2P) servers as part of its end-of-life plan, ensuring the original game remains playable even after official servers are shut down. The developer 1047 Games directly acknowledged the StopKillingGames movement as part of the motivation behind the decision. The studio said it has seen the ongoing conversations around preserving online games and wants to make sure players do not lose access to a title they have invested time and passion into. Starting with the server shutdown, the original game transitions to player-hosted matches through P2P networking, allowing fans to continue playing multiplayer matches without relying on centralized infrastructure. The developers are also unlocking cosmetics and preserving core content so the experience remains intact. This is exactly the kind of responsible end-of-life planning many players have been asking for across the industry. This should be standard practice for online-only titles.
Clodo / Fabrizio Carimati ᯅ retweeted
Given the success it's having, I have to come out: it was my stupid idea to create #PUCS, the craziest (satirical) public-administration portal in the world. pucs.it I definitely had fun making it; I hope it brought a smile to your faces too.
Fun fact: I visited the only Italian site subject to mandatory age verification to see whether they had implemented the checks required by AGCOM, and ever since then @repubblica's website has been showing me hentai (in the ads).
I swear this is how it went. I was playing VR with a friend, over remote audio: "Hey, pause, $daughter (12 YEARS OLD) needs to ask me something" ... "Dad, can you lift the headset so I can take a picture of you?" "Oh 💘 ok" .. "But sweetie, why?" "Oh nothing, Roblox asked me to."
I recommend that porn sites disable clipboard paste, for the safety of us all: the token must be typed out in full.
The only Italian site on AGCOM's list of 46 porn sites. Hentai aside, it has porn Terms of Service (Terms and Conditions); some legal nerds get off on that. (I'll skip over the fact that it's the town where I grew up, which is suspicious 😅)
Impressive how Apple considers Italy an irrelevant market. (I have the first Vision Pro, bought in the USA in February 2024; since then they've opened up to various markets, and that is the list of markets for the new model.)
Here on X I see fake stuff; in the comments people call on Grok, which confirms it's fake. So I wonder what they're waiting for to build community notes with AI. But then I answer myself: "so as not to lower X's user volume". x.com/Frenkie_Woody/status/1…

We're searching for water on Mars, yet we still don't know how the Egyptians were able to carve these statues out of diorite. At the time they only knew copper, and diorite is one of the hardest stones in existence, which can only be worked with diamond tools.
Clodo / Fabrizio Carimati ᯅ retweeted
17 Sep 2025
I reimagined my living room with World Labs. Gemini helped design it, World Labs generated the 3D environment, and VPS localized it to my space 1:1 scale. I can now step into a persistent redesign in mixed reality and explore it as though it exists physically. How it was built:
Clodo / Fabrizio Carimati ᯅ retweeted
15 Sep 2025
Replying to @francoisfleuret
It's the economics. No developer can afford to pay the inference cost for every conversation you have with an NPC. So either you pass that on to the user, at an exorbitant price, or run the model locally, which would tank the performance of the game.
Question about #globalsumudflottilla: even I, a nobody, have a decent 360 camera at home... they are expecting attacks, and it's important to document them, yet nobody has any footage of this drone, only the impact?
(No political comments or comments on credibility, I'm not getting into the merits; I just don't understand why they are so poorly equipped for precisely these things.)
Clodo / Fabrizio Carimati ᯅ retweeted
2 Sep 2025
For those interested in analyses of #PiracyShield, here are the references for a recent paper on the (in)effectiveness & collateral blocking of the tickets in @AGCOMunica APS. edu.nl/khcra Authors: @RaffySommy - Anna Sperotto - @antoniopradoit - Jeroen van der Ham - Antonia Affinito
New paper: we reconstruct #PiracyShield and measure its impact. Result: broad IP blocks cause real overblocking (hundreds of legit sites hit) and are easy to evade (IPv6, fast moves). Accepted at #CNSM2025. research.utwente.nl/en/publi…